Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2038
Views
0
Helpful
2
Replies

ASA Redundant interface

mvandorp
Level 1
Level 1

‎08-10-2009 01:20 AM - edited ‎03-11-2019 09:04 AM

Hi,

I'm setting up 2 ASAs in failover mode. For added availability I'm using Redundant interfaces.

Ethernet0/0 is a 1Gbps interface

Ethernet0/2 is a 100Mbps interface

Both are combined into Redundant1

The same is ddone for the other 2:

Ethernet0/1 is a 1Gbps interface

Ethernet0/3 is a 100Mbps interface

Both are combined into Redundant2

I use 2 contexts, and each context has it's own Redundant interface

(All other interfaces are through the 4-port RJ45/SFP module).

In both Redundant inrterfaces, the 1Gbps is the primary, and the 100Mbps is the secondary interface.

When configured, all works as expected.

HOWEVER:

When I disconnect the 1Gbps link, a switchover occurs to the secondary (100Mbps) link. Connectivity is maintained.

When I reconnect the 1Gbps link, there is NO switchback! (like the preempt option with context failover).

Ofcourse I prefer the 1Gbps link to be active.

Is there a way to accomplish this?

If not: Is there a SNMP way to monitor this? (I now about the show int Red1 | grep Member and redundant-interface red1 active-member e0/0 commands).

Looking forward to your reply,

Marcel

)

Labels:
0 Helpful
2 Replies 2

vmoopeung
Level 5
Level 5

‎08-14-2009 11:35 AM

The security appliance determines the health of the other unit by monitoring the failover link. When a unit does not receive three consecutive hello messages on the failover link, the unit sends interface hello messages on each interface, including the failover interface, to validate whether or not the peer interface is responsive. The action that the security appliance takes depends upon the response from the other unit. See the following possible actions:

•If the security appliance receives a response on the failover interface, then it does not fail over.

•If the security appliance does not receive a response on the failover link, but receives a response on another interface, then the unit does not failover. The failover link is marked as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby while the failover link is down.

•If the security appliance does not receive a response on any interface, then the standby unit switches to active mode and classifies the other unit as failed.

If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering the failover reset command. If the failover condition persists, however, the unit will fail again.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1042444

0 Helpful

usmanpk79
Level 1
Level 1

‎09-24-2013 10:37 PM

Hi Mvandorp!

Unfortunately there is no preemption mechanisam available for ASA Redundant interface the only option is to use

the command redundant-interface redundant 1 active-member in order to make the Primary Interface

active again.

To check the details refer to the following URLs:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1062371

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1062296

HTH

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card